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The EFDPO appreciates the opportunity to present its comments to the recently published 
EDPB draft Guidelines 10/2020. 


General comments 


The problem of instructions addressed to national parliaments 


In general, we very much welcome that EDPB publishes its views on the interpretation of Article 
23 of the GDPR. We fully agree with most of the EDPB's conclusions presented in this 
proposal. It cannot be, however, overlooked that the EDPB, in addition to the EU legislators’, 
mainly addresses the parliaments of individual Member States (although, as the EDPB rightly 
points out, Article 23 allows derogations to be adopted by national law instruments other than 
parliamentary laws). 


National parliaments are the supreme representation bodies of citizens in the individual 
Member States. Although the supremacy of European law over national law is widely 
acknowledged and some powers of national parliaments have been transferred to the EU level, 
this does not change the fact that parliaments in the Member States remain the highest 
legislative body adopting national law. It is important to bear in mind that the GDPR is directly 
and immediately applicable. 


Parliaments are empowered to enact legal acts at their own discretion (of course in compliance 
with the Member State's obligations under international law and treaties as well as with the 
requirements of European law). 


From this point of view, it must be examined whether an EU (administrative) body can issue 
guidelines that are binding on national parliaments and have legal effect. Article 70 (1) GDPR 
defines the tasks of the Committee. In addition to monitoring and advisory tasks, these also 
include the provision of guidelines (lit. d, f, g, h, i, j, m) as well as the issuing of opinions. In our 
opinion, guidelines should therefore not be understood as "soft law". From this point of view, 
the chosen form of the EDPB document, i.e. guidelines within the meaning of Article 70(1)(e) 
of the GDPR, appears to be a potentially appropriate legal instrument. 


We believe that Article 70 of the GDPR cannot be interpreted or applied in a way that would 
entitle the EDPB to influence the activities of national parliaments under soft law. If the 
European legislator intended to confer such a power on the EDPB, even if the Treaties allowed 
so, it would certainly be expressly stated in Article 70 (in the light of the doubts set out above). 
Purely consultative role of the national supervisory authorities in the national legislative 
procedure is regulated in Article 36 (4) of the GDPR. 


The conflict of fundamental rights 

Furthermore, we would like to provide general comments to the argumentation relying on 
Article 52 of the EU Charter of Fundamental Rights, as stated, for example, in point 2 of the 
Guidelines. We believe that Article 52 (1) of the Charter cannot be applied in the sense 
indicated by the EDPB where there is a conflict between several equally important fundamental 
rights. In such circumstances, equally strong and important interests need to be balanced. This 


1 We leave aside the impact of the restriction according to Article 23 on legislative activity at EU level, where the GDPR as a 
regulation can of course be amended by another regulation (as the EDPB also focuses in its draft guidelines on exemptions 
provided for by national law). 
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may apply to the discussed Article 23 of the GDPR, e.g. under paragraph 1 (i) or (j). This may 
be particularly restrictive, for example, to the requirement to comply with the notion of "strictly 
necessary" mentioned in point 42 of the proposal. 


General public interest requirement 

The guidelines seem to link the exemptions under Article 23 (1) solely with the notion of 
"general interest" or "general public interest" (see, for example, point 39 or 42). It should be 
noted that some of the exceptions under Article 23 (1) do not have to be aimed at protecting 
the “general interest” but rather the interest of the individual (see Article 23 (1) (i) (j) of the 
GDPR). 


Requirements for Member States' authorities compared to the practice of the EU 
institutions 

We generally agree with EDPB's interpretation of Article 23 (2) and the requirements set out 
therein. However, we must point out that it would be appropriate to align the requirements 
under Article 23 (2) of the GDPR with the practice of some EU institutions in limiting the rights 
of data subjects under Article 25 of EU Regulation 2018/1725 (as declared in the acts 
published in Official Journal). Decisions regarding these restrictions are in some cases 
formulated in a very general way and without further additional information value for data 
subjects. The references to the general public interest thus seem unsubstantiated. 


Comments on individual points: 


Point 33. We do not consider the example given here to be appropriately chosen, as it rather 
aims at the matters regulated (except for whistleblowing) by EU Directive 2016/680. We believe 
that it would be more appropriate to use another example, which would better demonstrate the 
difference between matters regulated by the GDPR and matters regulated by EU Directive 
2016/680 (as correctly stated, for example, in point 24 of the proposal by reference to rec. 19 
of the GDPR). 


Point 66: In our view the documentation under Art. 5 (2) GDPR shall include documentation 
of restrictions based on Art.23 GDPR. However, we disagree with the idea that the 
documentation according to Art. 5 (2) GDPR shall be made available to the SA. The respective 
consideration in point 66 is not an aspect of Art. 23 GDPR and therefore out of the scope of 
Guideline 10/2020. Moreover, this view collides with the fundamental right against self- 
incrimination. 


Point 67. We consider the full involvement of the DPO in the Art. 23 compliance process 
appropriate. It is the DPO's very own task to monitor and control compliance with data 
protection rights. With functioning processes, an unnecessary administrative burden is not to 
be assumed. Furthermore, the comprehensive involvement of the DPO, in addition to quality 
assurance, also serves to minimise risk for the data subject and consequently also for the 
controller with regard to its functioning processes. 


We are grateful for the opportunity to provide our comments on the draft guideline. 
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EFDPO contacts: 

EFDPO Press Office, phone +49 30 20 62 14 41, email: office@efdpo.eu, 
President: Thomas Spaeing (Germany) 

Vice Presidents: Xavier Leclerc (France), Judith Leschanz (Austria), Inés Oliveira 
(Portugal), Vladan Ramis (Czech Republic) 


About EFDPO 


The European Federation of Data Protection Officers (EFDPO) is the European umbrella 
association of data protection and privacy officers. Its objectives are to create a European 
network of national associations to exchange information, experience and methods, to 
establish a continuous dialogue with the political sphere, business representatives and civil 
society to ensure a flow of information from the European to the national level and to 
proactively monitor, evaluate and shape the implementation of the GDPR and other European 
privacy legal acts. In doing so, the EFDPO aims to strengthen data protection as a competitive 
and locational advantage for Europe. The new association is based in Brussels. 


Effective members: 

e Austria: privacyofficers.at — Verein Österreichischer betrieblicher und behordlicher 
Datenschutzbeauftragter 

Czech Republic: Spolek pro ochranu osobních údajů 

France: UDPO, Union des Data Protection Officer - DPO 

Germany: Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e. V. 
Greece: Hellenic Association for Data Protection and Privacy (HADPP) 
Liechtenstein: dsv.li-Datenschutzverein in Liechtenstein 

Portugal: APDPO PORTUGAL Associação dos Profissionais de Proteção e de Segurança 
de Dados 

Slovakia: Spolok na ochranu osobných údajov 

e Switzerland: Data Privacy Community 


